Botnets Using Ubiquity For Security
Trailrunner7 sends in this excerpt from Threatpost: "As major botnet operators have moved from top-down C&C infrastructures, like those employed throughout the 1990s and most of the last decade, to more flexible peer-to-peer designs, they also have found it much easier to keep their networks up and running once they're discovered. When an attacker at just one, or at most two, C&C servers was doling out commands to compromised machines, evading detection and keeping the command server online were vitally important. But that's all changed now. With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time, the effect of taking a handful of them offline is negligible, experts say, making takedown operations increasingly complicated and time-consuming. It's security through ubiquity. Security researchers say this change, which has been occurring gradually in the last couple of years, has made life much more difficult for them. ... Researchers in recent months have identified and cleaned hundreds of domains being used by the Gumblar botnet, but that's had little effect on the botnet's overall operation."
Re:ISP accountability (Score:3, Insightful)
How would the ISP inform the customer that they've been infected?
Obviously web or email would just open them up to the usual phishing.
Re:ISP accountability (Score:4, Insightful)
The cost to the ISPs would be fairly significant. It's not simply the potential lost revenue from disabling unwitting users, but forcing the issue will also generate a good deal of customer interaction. Talking with customers will generally result in additional costs as well as dealing with potential infections.
It's not an act of benevolence, but rather it is assuming responsibility. If you don't treat the issue for the customer then they may simply take the path of least resistance, i.e., they may ultimately simply find another provider. Conversely, attempting to correct the problem will also result in issues as you now have the responsibility of restoring the customer's computer to working order.
Ultimately, all of these risks and more would have to outweigh the costs of fixing the problem. I'm glad I don't have to deal with these kinds of issues anymore because trying to pitch an act of altruism to the company owner probably would not have worked.
With that said there are basically a few ways to approach the issue. Tighter regulation which states ISPs have to shepherd their flock, fines on non-compliance or grants to award certain infection threshold reductions. In the end it really is about making one choice more expensive than the other.
Re:ISP accountability (Score:1, Insightful)
Here's why an ISP won't do that (disconnect the customer): because the customer WILL take care of it by SWITCHING ISPs. ISPs hope to MAKE money, not lose it. So they won't do something that drives customers away.
Why should the ISP be responsible for a problem that is the customer's problem anyway?
Re:ISP accountability (Score:5, Insightful)
It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network.
And the moment they do that, they'll be expected to police for other illegal or immoral activity, like video and music downloading, content monitoring, deep packet inspection, and more. The operating costs go up as well, making them less competitive compared to other ISPs that do not monitor their customers' habits.
No, security needs to be managed by the owner of the machine. The ISP only has the responsibility to ensure that the customer has reasonable access through its networks, and perhaps a measure of QoS filtering/rate limiting/etc., to manage a shared (and limited) resource. Unless the bot is commanding the machine to use lots of network resources, its impact on other users is negligible from the ISP's perspective.
Re:ISP accountability (Score:2, Insightful)
"...fines [fining ISPs] on non-compliance..."
Why not fine the actual owner of the computer that's causing the problem? That would generate more motivation both to ISPs and end users. The user would seek an ISP that has excellent and quick detection and alerting facilities to protect him/her from fines. The user would be motivated to keep his/her machine more up-to-date. The user would have monetary motivation to purchase help if he/she can't administer his/her own computer effectively from someone competent.
Targeting the ISP only will just raise rates and make users hate their ISPs more. And why should the ISP (who doesn't own the computer that's infected, who didn't click on the phishing link, who didn't install that trojan toolbar, but only provided, at the END USER'S REQUEST, a connection that allowed the user to accomplish this) bear responsibility and not the end user?
I think too many end-user slashdotters are lazy and want someone else to nanny-state-take-care-of-them instead of bearing personal responsibility. *sigh* That's pretty much the state of modern society... Mama/papa government will take care of us!
Re:They seem to throttle their "attacks" as well. (Score:5, Insightful)
There's no point sending any spam, if not your estimated 30 million messages, only to collapse the server and not relay the messages to the recipients.
The botnet operators probably think of this as an optimization problem and not good manners.
Re:ISP accountability (Score:4, Insightful)
It seems to me there is an accountability gap for ISPs. Those providing network connections are not held accountable for machines on their network.
And why should they be? If I sell you a fishing line, it isn't my job to ensure you don't choke somebody with it. Or for an even better analogy, look at the phone networks. Generally, if someone is calling you on the phone and harassing you, the phone company will not disconnect that person. They'll offer to change your number. It takes a _lot_ of complaints for them to cut off service to an offender. Same thing goes on the internet. Yes, botnets _will_ eventually be cut off, but it takes a lot of complaints. Otherwise, who decides what's malware?
Re:ISP accountability (Score:4, Insightful)
You know, that's very true. Residential customers may stick with their provider (how many AOL users are still out there), but hosting customers will jump ship if they get disconnected. I had a friend whose SQL server got unplugged when a MSSQL worm was going around. It wasn't infected, but for the "safety of the datacenter" one of the techs walked around and pulled the power cord on any machine labeled "SQL". He called, and they couldn't resolve the problem. They said "we don't see anything wrong." When he got there, he found his machine was unplugged, just like quite a few other customers' SQL boxes. Two days later, his equipment was in another datacenter.
Re:Some news from Australia on this (Score:2, Insightful)
Huh? ISPs already have this power. It's called "owning their infrastructure". If AISI stops providing accurate information, people will stop trusting it. This isn't a mandated cut-off - it's an advisory notice. ISPs aren't even obliged to pass it on.
Re:They seem to throttle their "attacks" as well. (Score:2, Insightful)